Data Protection

GDPR stands for the General Data Protection Regulation. GDPR came into effect on the 25th of May 2018, replacing the Data Protection Directive (DPD) and the UK Data Protection Act 1998.  Further to Brexit, the UK had adopted UK GDPR. The Data Protection Act (2018) refers to the practices, safeguards, and binding rules put in place to protect your personal information and ensure that you remain in control of it. In short, you should be able to decide whether you want to share some information, who has access to it, for how long, for what reason, and be able to modify some of this information, and more.

GDPR applies to any organisation that processes and holds personal data UK citizens is obliged to abide by the laws set out in UK GDPR. GDPR affects every individual that stores or uses European personal data in and outside of the EU.

Under the GDPR, the College must observe six fundamental principles when processing personal data - including ensuring that their use of personal data is lawful, fair, and transparent. We must implement organisational and technical measures to protect it from misuse and exploitation.  Compliance also includes the maintenance of statutory documentation such as Data Protection Impact Assessments for high-risk processing and a Record of Processing Activities.

So, what exactly is personal data? Personal data means any information relating to an identified or identifiable natural person. Known as the ‘data subject’.

In other words, any information that clearly about a particular person. But how broadly does this apply?

The GDPR states that this applies where an individual can be identified directly or indirectly. Some of the followings are examples that can make an individual identifiable:

• Name;
• Identification number;
• Location data; and
• An online identifier
• Image

A name is perhaps the most common means of identifying someone. However, whether any potential identifier, including whether a name identifies an individual depends on the context.

By itself, the name ‘John Smith’ may not always be personal data because there are many individuals with that name. However, if the name is combined with other information (such as an address, a place of work, or a telephone number) this is often sufficient to clearly identify one individual.

Special Category Data

GDPR special category data is personal information of data subjects (individuals) that is especially sensitive. Special category data includes the following:

• Race and ethnic origin
• Religious or philosophical beliefs
• Political opinions
• Trade union memberships
• Biometric data used to identify an individual
• Genetic data
• Health data
• Data related to sexual orientation

Due to these data elements being particularly sensitive, the College must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. 

The College will only collect and process data that is necessary and we are forbidden from processing data unlawfully.  Examples of reasons why we ask for your data can vary from the College performing its public task, fulfilments of legal obligations and where an individual requires protection from harm.  Legislation protects your data against being processed where there is no existing lawful basis to do so.

The College has many Privacy Notices for various Departments to help you understand, how and why we collect your information. Privacy Notice - SERC

The Information Commissioners Office (ICO) states that, UK GDPR provides the following rights for individuals, which the College is complaint with:

• The Right to be informed;
• The Right of access:
• The Right to rectification;
• The Right to erasure;
• The Right to restrict processing;
• The Right to data portability;
• The Right to object;
• Rights in relation to automated decision-making and profiling. 

The College has one month to reply to all GDPR requests. For requests made on the weekend or on a holiday, organisations have the next working day to start the timer on their response. 

While individuals’ rights are paramount in GDPR the law does contain some provisions/exemptions where the College is not obliged to comply. Each request is assessed very carefully against legislation. Considering all surrounding factors if it is agreed that the College is unable to apply fully with your request, the College will provide reasoning for this, if possible. 

If you are unhappy with the College’s response to your Subject Access Request, please let us know by emailing informationrights@serc.ac.uk or addressing a letter to the Records Manager.

If you remain unhappy with the College’s response to your Subject Access Request, please contact the Information Commissioner at:

Information Commissioner’s Office  

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

If you have any concerns at all on how the College may be processing your data or if you believe the data, we hold on you is inaccurate, then please contact the Data Protection Officer, informationrights@serc.ac.uk

The College welcomes all means of support for our students however we must also comply with GDPR and the Data Protection Act (2018) which regulates how we process personal data, including any disclosures about our students.  This applies to all student information, even if they are under the age of 18.

The College is unable to discuss student information with anyone unless the student has provided this consent on their student account or where an individual has legal responsibility for a vulnerable adult.  During application and enrolment, the student is given opportunity to provide this consent and the name of the person to whom we can discuss their information with.

In an emergency e.g., where we have concerns about the life, health, and welfare of the student, we will make contact with the person identified as the ‘Emergency Contact’ on the student’s account.

While the College may not be able to discuss information with you, students can access their student profile from home, and this will contain their timetable, attendance register and various other aspects of their progress at the College.

Staff can answer any questions you may have about College processes e.g. EMA, Application process, Learning Support provision, and we have a suite of policies and procedures available on our website for your information.